The headlines have come thick and fast over the past few weeks in relation to the ‘Marriott Hack’. We all know the story: 500 million guest reservations from its Starwood database have been stolen. There are numerous lessons to be learned in regards to responding to this kind of incident, one of which is the importance of 'domain usage' when sending out emails.... (>)

If you’ve been monitoring the Exploits Block List (XBL) recently you will have noticed a significant increase in the number of listings. The past few weeks have seen a lift from approximately 10 million to 15 million listings. The question is why? Our botnet specialist explains…... (>)

The real answer is that it is far too early to tell. Various articles currently state that “nothing has happened” as a result of GDPR and “spam has fallen slightly;" however, the true effects of GDPR providing anonymity to domain owners will take a long time to play out. The main crux of the matter isn’t the effect GDPR is having on spam levels, but how it’s hampering organizations from effectively stopping career cybercriminals from defrauding innocent people.... (>)

Early this year, in March 2018, Microsoft’ Windows Defender Research Team in Redmond published some interesting insights into a massive malware campaign distributing a dropper/loader called Smoke Loader (also known as Dofoil). The main purpose of the documented campaign was to distribute a coin miner payload that is using infected machines to mine crypto currencies. Within 12 hours, Windows Defender recorded more than 400,000 instances, but could deploy appropriate countermeasures on computers running Windows within seconds. As further analysis from Spamhaus Malware Labs revealed, these countermeasures did not stay unattended by the malware authors behind Smoke Loader.
Runtrace... (>)

Take a look at org charts, international standards, conferences and forums…you will observe there are two tribes; one for the ‘network’ the other for ‘applications’. It’s a distinction that’s embedded in Information Technology with the Network Layer ‘below’ all applications with a dedicated team dealing with connectivity, routers, upstreams and peering, all quite independently from the nature of the data that is flowing. Another team deals with ‘applications’; email, web services, etc., that do their job without having to consider the underlying aspects related to networking.... (>)

Now that 2017 is behind us, as we do each year, the Spamhaus Project would like to give some numbers and thoughts on the botnet threats we encountered. In 2017, Spamhaus Malware Labs identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet Command & Control servers on 1,122 different networks. A botnet controller, commonly abbreviated as "C&C", is being used by fraudsters to both control malware infected machines and to extract personal and valuable data from malware infected victims. Botnet controllers therefore play a core role in operations conducted by cybercriminals who are using infected machines to send out spam, ransomware, launch DDoS attacks, commit ebanking fraud, click-fraud or to mine cryptocurrencies such as Bitcoin. An infected machine can be a desktop computer, mobile device (like a smartphone) but also an IoT device ("Internet Of Things") device such as webcam or network attached storage (NAS) that is connected to the internet.... (>)

Spamhaus Malware Labs - Spamhaus's malware research unit - recently observed a wave of new PandaZeuS malware samples being distributed during the Christmas season. PandaZeuS, also known as Panda Banker, is an ebanking Trojan that evolved from the notorious ZeuS trojan and is being used by different threat actors to compromise ebanking credentials, used by cybercriminals to commit ebanking fraud.... (>)

Over the past three weeks, some of our users have noticed that the XBL (CBL) database has grown substantially in size. There are two major reasons for this.
1) Increase from the Internet of Things (IoT)
2) Increase From Andromeda botnet takedown... (>)

The government of France provides lists of email addresses to French political candidates for them to use when sending campaign emails. Unfortunately these lists have many spamtrap addresses on them. Our spamtrap email addresses cannot have been legitimately subscribed to this list, and most assuredly do not belong to French voters. The presence of spamtraps is evidence that other addresses on... (>)

Cloud computing is popular these days. Millions of users consume computing power out of the cloud every day. Cloud computing comes with several advantages over traditional server hosting, such as scalability and quick deployment of new resources.
As of January 2017, several large botnet operators appear to have discovered the benefits of cloud computing as well, and have started to... (>)

2016 was a busy year for existing and emerging cyber threats. In the past year, Spamhaus researchers issued listings for over 7,000 botnet Command & Control ("C&C") servers on more than 1,100 different networks. These C&C servers enabled and controlled online crime such as credential theft, e-banking fraud, spam and DDoS attacks. They were also used for the retrieval of stolen data. 2016 will also go down in history as the first year that security issues related to the 'Internet-of-Things' not only became mainstream, but turned into a serious enabler of ever larger attacks and a source of many future problems.... (>)

As we discussed in a previous article, allocations of IP addresses (IPv4 addresses) are getting hard to come by, especially for spammers. Because the IP addresses they use quickly get a bad reputation as sources of spam, spammers constantly need fresh IPs that are... (>)

Internet harassment is becoming an increasingly ugly and widespread issue,
and over the weekend of August 13-14 it spilled into territory we could do
something about. After a few weeks of low level activity, over that weekend
some unknown cyber criminals launched a targeted attack on over 100 government
email addresses, using bots to create mailing list subscription requests at
the rate of over 1000 per minute. Effectively, this was a denial of service
attack, rendering the government mailboxes useless for considerable time.
Over the next couple of months the targets expanded from government addresses
to others, some of which were targeted and timed to be especially disruptive.... (>)

Filling in The Spamhaus Project's domain panorama in our "Top-10 Worst" pages, we have added a page for The 10 Most Abused Domain Registrars. It breaks out by registrar the ratio of bad domains versus total domains as seen by our systems in the course of a rolling two-week window. While other registrars have numerically more bad domains, that is a result of the sheer size of their domain corpus, and they have a lower ratio of bad to good domains. Those larger registrars take effective measures to prohibit spammers and remove bad domains from their services, and thus polish their own reputations.
... (>)

Starting with 1st June 2016, you can look up an IP address on any Spamhaus zone that supports SBL lookups, and verify whether that IP address is on DROP/eDROP. An IP address that is listed on DROP or eDROP will return 127.0.0.9 in addition to 127.0.0.2.... (>)

The Spamhaus Project has added a new list to its Top-10 Worst pages, this time for Top Level Domains (TLDs). This domain data is designed to complement the recent additions to our IP address data announced in a previous news blog.... (>)

Over the past few years, spammers have sought out large ranges of IP addresses. By spreading out their sending patterns across a wide range of IP addresses, they can attempt to defeat spam filters and get spam and malware emails delivered where they are not wanted. However, IPv4 addresses are getting scarce and hard to come by. In fact, as of... (>)

In the summer of 2015, the number of SBL listings involving SoftLayer Technologies (an IBM company) increased rapidly, bringing Softlayer to the #1 spot on the Spamhaus Top 10 list of most problematic ISPs. This attracted a great deal of attention, because Softlayer has traditionally been a responsible ISP, and has made a number of contributions to the security and anti-spam industries. As one would expect, this situation prompted questions.... (>)

About a month ago the Spamhaus Project added several new lists to its Top-10 Worst pages. These are in addition to our existing Top-10 lists: Worst spammers, spammer hosting nations and spammer hosting Internet Service Providers (ISPs).
Every second of every hour of every day Spamhaus collects a vast quantity of real-time threat intelligence from around the globe. We analyze and use this data to produce the data sets that protect billions of users from spam and other attack threats.... (>)

Some of you may remember Spamhaus' dispute with Nic.at (the registry of .at ccTLD - "country code Top Level Domain") back in 2007. At that time, we saw a massive amount of the "Rock Phish" gang's phishing domain names being registered within .at for the exclusive... (>)

Email verification services help avoid undeliverable messages in situations such as point-of-sale transactional e-mail, but they do not verify the permission of the address owner, which is the most important step to avoid spam when acquiring addresses for bulk emailing lists, nor do they verify whether a transactional message is sent to the same person as the person making the transaction.... (>)

Nowadays many companies and organizations (non-profits, units of governmental and educational institutions, etc) believe that running their own mail servers has become an impossible task, due both to the large amount of inbound spam and to the continuous attempts by spammers to send outbound spam through their mail servers. Companies often lack in-house technical resources to configure and... (>)

On the evening of Wednesday, 18th February 2015, The Spamhaus Project lost a long-time friend and member of its team. A spam fighter from deep in the trenches, Ellen R. was known to many in this community for her earlier role at SpamCop. Fewer knew of her contributions at Spamhaus: After her retirement she came to work as a volunteer with us. Her efforts here helped stop billions of spams from reaching billions of people's mailboxes. Her life made the world a better place, especially for those in this community, and she will be missed.... (>)

As 2014 ends, Spamhaus reviews the botnet threats that it detected in
the past year, and provides facts and useful suggestions for ISPs and
web hosts on the front lines of the battle against cybercrime. To
nobody's surprise, botnet activity appears to be increasing. The
majority of detected botnets are targeted at obtaining and exploiting
banking and financial information. Botnet controllers (C&Cs) are hosted
disproportionately on ISPs with understaffed abuse departments,
inadequate abuse policies, or inefficient abuse detection and shutdown
processes. Botnet C&C domains are registered disproportionately with
registrars in locations that have lax laws or inadequate enforcement
against cybercrime.... (>)

For many years, speaking of "botnet spam" mainly meant speaking about compromised Windows systems. However, in the last few years this assumption is no longer entirely true.
Looking at the number of distinct sources, the vast majority of emitters are still about the same as before, but looking at volumes we see that a large part of email spam now comes from abused Linux/Unix systems. Part of... (>)

The Spamhaus Project again offers congratulations and thanks to the law enforcement community in the matter of the massive Distributed Denial of Service (DDoS) attack perpetrated against our systems in March 2013 by a Russian-based anti-Spamhaus group calling themselves 'Stophaus', consisting of several individuals with grievances against... (>)

Moving into IPv6 presents many, many challenges. Among the myriad tasks which are required in that transition, many IT admins and techs will find the need to search and filter IPv4 and IPv6 addresses matching CIDR patterns in data related to both those IP addressing systems. The standard tool for many admins to do... (>)

Spamhaus engineers have been busy developing new data for the Spamhaus Domain Block List (DBL) during the past several months. Our efforts have produced several specialized subsets of the DBL data set which will provide Spamhaus DBL users with better protection against spam as well as against other cyber threats (bots and malware) which are... (>)

After over 3-years of non-stop work stealing millions from people and companies on the internet, the cybercriminals behind the thefts will have some free time on their hands.
Last week a group of Internet security organizations including the Spamhaus Project, several IT security companies, and the
cybercrime departments of ten national law enforcement agencies crippled the... (>)

Today, The Spamhaus Project is both happy and proud to announce the official launch of the Spamhaus CERT Insight Portal. The aim of the new web portal is to help Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Team (CSIRTs) with a national or regional responsibility to protect their critical infrastructure and IP address space from... (>)

Report regarding the SBL listings of spam operations on Resilans AB (resilans.se).
Spammer IP address space at Resilans
Spamhaus became aware of Resilans AB leasing netblocks to spam operations in August 2013. We listed those ranges and notified Resilans. Despite notification, the ranges they allocated in August were... (>)

ICANN's Security and Stability Advisory Committee (SSAC) document Advisory on DDoS Attacks Leveraging DNS Infrastructure, published this week, provides a much-needed touchstone for the Internet in its current state. DDoS attacks, such as the one... (>)

1997-2003: THE OPEN RELAY ERA
Around 1997, a company named Cyber Promotions (a/k/a Cyberpromo) was the first to start spamming Internet users on a massive scale. Cyberpromo first did this from their own mail servers, relying on... (>)

Spamming is always bad, but it is just plain foolish to spam addresses at spamhaus.org. While Spamhaus SBL listings are based on much wider views of spam than our own mailboxes, our mailboxes can tell us what we should look for. So when over the weekend the U.S. Direct Marketing Association (DMA) decided to spam, it would have been wiser to leave Spamhaus... (>)

The Spamhaus Project offers congratulations and its sincere thanks to the Dutch Public Prosecution Service (OM), the Dutch National High Tech Crime Unit (NHTCU) of the Dutch Police Services Agency... (>)

A number of Internet users are reporting a fresh version of a ransomware virus circulated by cyber criminals which exploits the name and image of Spamhaus to trick computer users into paying fake fines using MoneyPak. Computer users should know that no authorities or organizations (including Spamhaus) use screen blocking messages... (>)

At this time The Spamhaus Project is getting more press enquiries than we can personally respond to. Below is a list with the most frequently asked questions, along with our answers. If you are in need of any additional information please do not hesitate to contact us but we cannot guarantee a quick response. Our staff are almost all investigators and engineers who focus on dealing with spam... (>)

Some months ago a number of bloggers wrote about The Spamhaus Project's "new" spamtraps. Some asserted that we were suddenly targeting transactional messages. Others noticed the timing of new SBLs based on those "new" traps and one concluded that we had decided to publish our advisories during the Christmas season, the time of year that retail companies see the bulk of sales and that would... (>)

During the past few weeks, Spamhaus has worked hard to shut down a botnet called "Virut".
Virut take down
Virut is a worm that spreads through removable drives such as USB sticks and network shares, but it also has file infection capabilities it uses to spread itself. Virut was first detected in 2006 and became a serious threat with an estimated size of... (>)

Hosting providers are increasingly asking Spamhaus how they can prevent so-called "fraudulent sign-ups" -- new customers whose only intention is to spam, host malware, host botnet controllers, or engage in other activities that are forbidden by the hosting provider's acceptable use policy (AUP). Such customers normally target cheap VPS and cloud hosting with automated sign-up procedures. ... (>)

In July 2012, FireEye in cooperation with other security organisations, such as Spamhaus, took down the Grum botnet. At that time Grum was the third largest spam-sending botnet. The event gained considerable media attention.... (>)

Geneva, 12 June 2012
Today the Spamhaus Project announces the release of a new service -- the Spamhaus BGP feed (BGPf). The BGPf serves three Spamhaus lists by using the Border Gateway Protocol (BGP). It is intended to be used primarily by Internet Service Providers (ISPs), web hosting providers, and network service providers (NSPs) in their routers to drop bad traffic at the edge... (>)

On 6 June 2012 many major internet service providers (ISPs), home networking equipment manufacturers, and web companies around the world are uniting to redefine the global Internet and permanently enable IPv6 for their products and... (>)

Any account on a legitimate mail server is a valuable resource to a spammer or cybercriminal because it gives access to a server that is unlikely to be blocked from sending email. A spammer can use an account on a legitimate mail server to spam, and reach many more people than if he sent email from an IP that does not host a legitimate mail server. A cybercriminal can use an account on a... (>)

Long time ROKSO-listed spammer Brian "Dr. HGH" McDaid is finally going to pay for his crimes.
This week, in a Philadelphia court, US federal court Judge Stewart R. Dalzell sentenced McDaid to two years in prison and... (>)

In November 2011, new terms and conditions (T&C's) for registering .ru domains were put out by the Coordination Center for the Top Level Domain RU (cctld.ru). The following paragraphs of the new T&C are important to Spamhaus' mission to fight against spam and cybercrime:
5.7. The Registrar may terminate the domain name... (>)

Spamhaus has observed a newer type of distributed denial-of-service attack (DDoS) which has only recently become popular among cybercriminals. In just the past month, several attacks using this method have been investigated by private security firms and law enforcement agencies. During December 2011, Spamhaus sustained an SNMP DDoS on the order of magnitude of the largest DDoS seen to date on the... (>)

After the November 9, 2011 successful law-enforcement dismantling of a huge cybercrime network in an operation dubbed 'Ghost Click', questions were raised as to what Internet Service Providers (ISPs) could have been doing to protect their users, and the internet, from this botnet.
So, could an ISP (or corporation, school,... (>)

On November 9, 2011 the FBI announced the successful dismantling of a huge cybercrime network in an operation dubbed 'Ghost Click'. The target of this joint US and Estonian law enforcement operation is the ROKSO listed gang Rove Digital.
Rove Digital ran a sophisticated operation in which... (>)

This week sees the arrival of LondonCyber, a conference organised by the British Government's Foreign Office and reported to have been so thoroughly stage-managed that the media have been carefully kettled away in a special media centre to ensure they are not allowed to directly interact with any of the attendees.
While many questions are being asked at that conference, we wonder whether the... (>)

If The Netherlands has penalties for filing false reports and wasting police time, Dutch ISP 'A2B Internet' will be looking at a hefty fine. The owner of the small Dutch transit ISP claimed on Tuesday 11 Oct to have filed a report with local police in the Dutch region of Zaanstreek-Waterland accusing Spamhaus of "extortion" and carrying out a "DoS attack" on his network. Spamhaus had flagged A2B... (>)

If one admonishes for poor practice, one should encourage better practice.
On Friday we wrote about an email sent by the UK tax office the formatting of which was ill advised (see UK Tax Office Sends an Invitation to Phishers). The following Monday, Santander UK sends an email... (>)

Phishing. Broadly speaking, sending out emails which misdirect people to supply confidential information to miscreants. One such ruse in the UK has been to send out tax rebate emails purporting to come from the UK tax office, HMRC.
So on Friday, in a stroke of genius, HMRC sent out the following: ... (>)

On the 2nd September 2011 Spamhaus was successful in its final appeal which reduced a baseless $11.7 million default judgment down to $3 (three dollars). Twice the US Court of Appeals for the Seventh Circuit vacated judgments against UK-based Spamhaus made by U.S. Federal Judge Charles Kocoras who had twice awarded fabricated 'lost profits' to a Chicago-based spam sender.
In 2006 the... (>)

All too frequently electronic security breaches result from some form of social engineering trick which entices a user to visit a harmful website by providing a clickable link (URL) with a specially-registered domain which ultimately leads to the user being defrauded or their machine being infected with malware.
Once infected, criminals very quickly gain complete control of that user's... (>)

The Spamhaus Project has released a document outlining Spamhaus' strategy with respect to Spamhaus' IP blocklists and their future in an IPv6 enabled world. Entitled "Spamhaus IPv6 Blocklists Strategy Statement", the document focuses exclusively on IPv6 DNS-based blocklists and gives technical details of how Spamhaus plans to implement them.
The document draws attention to a... (>)

5 March 2011: One year ago this week, The Spamhaus Project released a new spam-blocking advisory list for the world's internet users. Its focus was on the domain side of email filtering. Called the Domain Block List, the DBL has now been in worldwide use for a full year. The reported results have been excellent with the domain filtering ability of the... (>)

On Monday Spamhaus became aware that the main Wikileaks website, wikileaks.org, was redirecting web traffic to a 3rd party mirror site, mirror.wikileaks.info. This new web site is hosted in a very dangerous "neighborhood", Webalta's 92.241.160.0/19 IP address space, a "blackhat" network which Spamhaus believes caters primarily to, or is under the control of, Russian... (>)

Spamhaus.org has been a frequent target of forged e-mails over the years and once again we're seeing a rise in those sorts of spam messages. This time email messages pretending to come from Spamhaus are a social engineering attempt ("phish") to lure victims into installing malware on their computers. Don't fall for it!
Some things to be aware of... (>)

When it became clear that the UK's National Security Strategy (published today) would highlight "Cybersecurity" as one of the most serious threats to the United Kingdom's security, the media were most querulous. Even some of the more experienced journalists seemed to pour immediate scorn on the suggestion that computer-based crime could rank in seriousness alongside terrorist attacks... (>)

"Spamhaus Blocks Gmail" - A catchy headline which certainly got the twitterati going. However, it wasn't true.
Recently some IT websites, including Softpedia and Sucuri, erroneously issued reports of Spamhaus' SBL blocking Gmail. These reports are not true. Google's Gmail service has never been listed in, or affected by, any Spamhaus DNSBL, nor ever would be. Spamhaus quite simply... (>)

Leaving a wake of over 12 years of criminal spamming and trillions of sent junk emails behind him, long time ROKSO-listed spammer Alan Ralsky is finally behind the walls of a US Federal Prison.
After pleading guilty to multiple federal criminal charges, and after time extensions to "get his affairs in order", Ralsky reported to... (>)

1 March 2010: The Spamhaus Project is proud to release its newest spam-blocking advisory list to the world's internet users, this time focused on the domain side of email filtering. Called simply the Domain Block List, the DBL has been in beta testing for much of 2009 on production ISPs and corporate servers in Europe, Asia and North America, and results... (>)

The idea of "opt in" is central to the legitimate, non-spam use of bulk e-mail. Without "opt in" policies, any and all e-mail addresses will be spammed relentlessly until they "opt out", and likely even after that. "Opt in" means that the recipient--the e-mail address owner--knowingly and intentionally subscribes to a specific list before the bulk list-mail commences. Permission to send bulk... (>)

Unfortunatly for Renukanth Subramaniam, the "loner with a modest lifestyle" who helped run the secretive website where cybercriminals traded stolen credit card data, his friends will probably be fellow inmates in a Her Majesty's Prison Service institution.
Subramaniam was remanded into custody in London after earlier pleading guilty to conspiracy to defraud and five counts of furnishing... (>)

China Internet Network Information Center (CNNIC) - China's own domain regulator - last week criticised Xinnet.com and some other Chinese registrars for the excessive inaccuracy in registration information (called "Whois" data).
From this week, buyers of ".cn" Country Code Top Level Domains (ccTLDs) are required to provide paperwork - such as company credentials and a... (>)

In October, Comcast Corporation, the USA's largest provider of high-speed Internet to private homes, announced the roll-out of its new Constant Guard security initiative. The system will provide in-browser notifications about possible virus infections. If the system detects a possible problem, a "service notice" will appear in the customer's web browser that tells them that a virus has been... (>)

On the two-month anniversary of our announcement of the Spamhaus CSS, we thought it's time to take a look at its effect against this type of spamming. As we had mentioned, while filtering methods for botnet spam are now quite effective, a new breed of static-IP address spammers had evolved, and their spam was evading many filters. It became time to target the next great spam problem,... (>)

The Herbalking aftermath continues with a US federal judge ordering ringleader Lance Atkinson to pay the US Federal Trade Commission (FTC) a hefty US$15.5 million (£9.4 million). After already admitting his involvement to the New Zealand authorities last year now the FTC steps in with its findings:
The spam gang deceptively marketed products such as male-enhancement pills,... (>)

Two New Zealanders well known to Spamhaus have been fined for their roles in the biggest pharmaceutical spamming operation in the history of the internet, officials of the nation's Department of Internal Affairs (DIA) said on Monday.
They were part of a business based in Christchurch that sent more than two million unsolicited emails promoting Indian-made herbal products to New Zealand... (>)

While filtering methods for botnet spam are now quite effective, a new breed of static-IP address spammers has evolved, and their spam evades many filters. It is time to target the next great spam problem, "snowshoe" spam.
The Problem of Snowshoe... (>)

There is nothing like a visual representation to show how botnet spam traffic dries up when a major eastern European run host (in this case, USA routed) of the botnet Command & Control systems (C&C) is shut down. Below is a report from the CBL botnet spam detection system on the effect of a recent shut down.
These graphs are the total number of spams (per second) detected
as being sent... (>)

During the last week of May, 2009, some senders experienced mail rejected by yahoo.com which referenced Spamhaus PBL data. But when they looked up their IP address, it was not in any Spamhaus list. The error was not consistent, and sometimes resubmitting a message might result in its delivery. Yahoo! is aware of the problem and made this announcement on its... (>)

Last month we mentioned upcoming changes to ISP's PBL Account pages. We're pleased to announce that the first phase of those improvements is now up and running. While not visible to the public, an ISP logging in to their PBL Account will immediately see the upgrades.
The new ISP PBL Account pages:
Are designed to make it easier for ISPs to make accurate PBL Zone... (>)

We'd like to show you what some typical broadband space looks like in terms of spam-sending bots and Policy Block List (PBL) listings. Let's sample a few chunks of IPv4 space, count the spam bots, and map them graphically to visualize what those ranges look like. These are just examples, conveniently chosen based on our experience in dealing with countless ISP ranges and PBL listings. There is... (>)

Snowshoe spamming has been around for many years but during 2008 a few USA spammers honed the technique to a fine edge. It has grown rapidly for the past year and there is no indication that it will cease in the foreseeable future. As of February 2009, snowshoe spamming accounts for 20-30% of all connections at typical gTLD mail servers. It is the second... (>)

Following the October 2008 shut down of the largest US based host of trojan malware, botnet command and control systems (C&Cs) and DNS changer hosts (pharming), Intercage/Atrivo, another US based network specializing in hosting similar cybercrime has been taken off the Internet.
McColo is a bit different from Intercage/Atrivo in... (>)

A person well known to Spamhaus, Judy Devenow, one of long time spamming kingpin and convicted felon Alan Ralsky's gang, plead guilty to conspiracy and aiding fraud in a US Federal court. She admitted she had sent millions of spam e-mails a day to generate excitement about junk stocks while working for Ralsky who has been indicted,... (>)

The #1 worst spam gang on the Internet for much of 2007 and 2008, and active since at least 2005, has been indicted by the US Federal Trade Commission (FTC) in conjunction with simultaneous charges in New Zealand and possibly Australia & India. Several co-conspirators formed the HerbalKing spam gang. The primary... (>)

Or "Frea Speach," as spammers write with their notoriously bad spelling while yammering about their right to send spam. There is no right to send spam, of course, let alone anonymously. Almost a decade ago, in their decisions in AOL vs. Cyberpromo and Earthlink vs. Cyberpromo, U.S. courts of appeal ruled that spam is theft of service and trespass to chattels, both of which are civil offenses. And... (>)

When cybercrime is mentioned it never takes long for Russia and the Ukraine to enter the picture. However, while a lot of cybercriminals are based in those countries, a lot of their infrastructure is housed in the west, in the United States to be precise.
Without exception, all of the major security organizations on the Internet agree that the 'Home' of cybercrime in the western world is... (>)

Closed Loop Confirmed Opt In is the full technical term for the best opt-in subscription practice around. But whether you call it Confirmed, Verified, Double or any other adjective it still means the same thing: "Hey you! Subscriber! Is this really you who signed up for this list? Unless you respond, we won't send you more mail." The subscriber's response completes the loop and confirms their... (>)

There is lots of spam going around with funny subjects like "Mike Tyson to Fight Michael Jackson" or "Afghanistan to be 51st US State", or other equally absurd lines designed to hook unwary recipients into clicking the URL in the spam. Unfortunately, the results of following that link are not at all funny. The victim's computer will be infected with a Trojan horse, it will become part of a spam,... (>)

A lot of people are using our SBL and XBL lists to guard their mail infrastructure against the incoming floods of spam. While we encourage all SBL-XBL users to switch to ZEN to check the connecting IP, the SBL-XBL combination still has a very powerful, but lesser-known application area: use it against spamvertized URLs in the message content.
While the spam emitting bots move... (>)

There's been a lot of use of the term "ecosystem" in the e-mail industry lately. It's a good description of the complex environment that has grown up around Simple Mail Transport Protocol; it's no longer simple. But, like any ecosystem, it has many subsystems and niches within it. Among spammers in general, the botnet and black market spammers have... (>)

(From a discussion in a private anti-abuse industry workgroup list in November 2007 regarding the need for extensive restructuring of e-mail systems due to spam; reproduced with permission...)
Someone Else... (>)

One year ago this month, Spamhaus launched the Policy Block List, also known as the PBL. Now a year later we look back to see what effect it has had.
The PBL was created to be used together with our other DNSBL zones, the SBL and the XBL. At the same time... (>)

As reported by the Detroit Free Press on January 9, 2008, spammer Alan Ralsky of West Bloomfield, Michigan was brought into U.S. District Court in Detroit in handcuffs, escorted by FBI and US Postal Inspection Service agents who met him at the Detroit Metro Airport upon his return from Germany.
Spamhaus was pleased to report on the January 3rd, 2008,... (>)

The US Department of Justice went public on January 3rd with the indictment of Alan Ralsky and 10 others who helped him. Ralsky topped our Top 10 Worst Spammers list for quite some time and was involved in almost any sort of spam activity that's being... (>)

Anyone remotely involved in the fight against spam has heard of the Storm worm. While Storm has used a variety of social engineering tricks to propagate, the e-card method has always been a popular one. What better a moment to send an e-card than in this holiday season? That's probably why the Storm botnet gang began pumping... (>)

When the routes to the older IP address mapped to the Russian Business network began to no longer route on the internet, Spamhaus noticed a new set of IP addresses and ASN numbers mapping into the same upstream network. The Whois data for these showed Chinese company names and .cn/.tw email addresses.
... (>)

One of the most persistent professional spammers listed since 2003 on Spamhaus's Register Of Known Spam Operations (ROKSO) database, has been arrested in Seattle Washington in a joint operation conducted by the Washington State Attorney General's Office, the FBI, FTC, Internal Revenue Service Criminal Investigations and the United States Postal Inspection Service.... (>)

Microsoft Corporation has won what could be the largest award against a spammer in Europe thus far. Sadly, the victory does point out the failure of the British legal system to tackle spam. Microsoft's actions show that at this time, only private civil action can be used to deter spammers in the legal arena.... (>)

The Australian Communications Authority (ACA) has taken action against a spammer in the first case to be brought under Autralia's Spam Act. Spammer Wayne Mansfield, listed in Spamhaus ROKSO database, is charged with sending at least 56 million commercial emails in twelve months after the Spam Act 2003 commenced in April 2004. Most of the messages are believed to have been unsolicited and in breach of the Act. ... (>)

At the British-held Infosecurity Europe conference Lord Harris of Haringey warned the UK government of the serious threat to Critical National Infrastructure posed by groups of E-vandals and criminal gangs operating botnets, and urged the government to put a protection and response strategy in place. Lack of funding is seriously impacting the ability of law enforcemment agencies on both sides of the Atlantic to shut down botnet gangs.... (>)

Spam, now at 75% of all email traffic arriving at most ISPs mail servers, is set to increase still further thanks to new features in proxy hijacking software released by spammers. Many major email services report a large increase in spam coming directly from the major mail relays of other ISPs. Spamhaus sees this change and the increase in spam as a threat to be taken seriously, as unchecked, at the current pace spam levels could reach 95% of all email traffic by mid-2006.... (>)

Spammer Jeremy Jaynes, who operated using the alias 'Gaven Stubberfield' and was listed by Spamhaus as the 8th most prolific spammer in the world, has been convicted of spamming using deceptive routing information to hide the source. A Virginia court recommended Jaynes spend nine years in prison for sending hundreds of thousands of unsolicited bulk emails.... (>)

Spamhaus executives at the United Nations spam conference in Geneva had welcome news for the Australian delegation: Spamhaus is seeing a reduction in activity by the known Australian spammers. Since the introduction of Australia's strong anti-spam law, Australian spammers have started keeping a low profile, many appear to have almost ceased activities and at least one is known to have left the country. The Australian anti-spam law, is working.... (>)

For many months Spamhaus has been working with teams from Law Enforcement Agencies in the United States and United Kingdom helping put together cases against the known spammers. We are very pleased to see arrests of spammers by the FTC now taking place, and look forward to the many more arrests we know are on the way.... (>)

The Exploits Block List (XBL) is a realtime DNS-based database designed to stop spam from illegal 3rd party exploits, including open proxies, worms/viruses with built-in spam engines, and other types of trojan-horse exploits utilized by spammers.... (>)

Against the advice of all anti-spam organizations, the U.S. House of Representatives has passed the ill-fated CAN-SPAM Act, a bill backed overwhelmingly by spammers and dubbed the "YOU-CAN-SPAM" Act because it legalizes spamming.... (>)

The State of Virginia on Tuesday 29th April 2003 enacted the toughest anti-spam legislation of any US State so far, imposing harsh felony penalties for sending spam to computer users through deceptive means. Spammers who send Unsolicited Bulk Email to or from Virginia with a bogus return address, or via exploits such as stolen open proxies, now face criminal penalties, paying massive fines and spending up to five years in jail. The new law also empowers officials to seize the assets of those convicted of sending deceptive bulk e-mail.... (>)

The European Parliament has voted to ban Unsolicited Bulk Email. Article 13 of the Directive on processing of personal data and the protection of privacy in the electronic communications sector will guide legislation banning spam throughout the 15 European member countries. EU Members Austria, Denmark, Finland, Germany, Greece, and Italy as well as EFTA member Norway have already implemented 'opt-in' in their national legislation.... (>)